rfc:secure_unserialize

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
rfc:secure_unserialize [2014/11/17 00:55]
stas
rfc:secure_unserialize [2017/09/22 13:28] (current)
Line 3: Line 3:
   * Date: 2013-03-29    * Date: 2013-03-29 
   * Author: Stas Malyshev, stas@php.net   * Author: Stas Malyshev, stas@php.net
-  * Status: Voting+  * Status: Implemented
   * First Published at: http://wiki.php.net/rfc/secure_unserialize   * First Published at: http://wiki.php.net/rfc/secure_unserialize
   * Patch: https://github.com/php/php-src/pull/315   * Patch: https://github.com/php/php-src/pull/315
Line 36: Line 36:
 $data = unserialize($foo, array("MyClass", "MyClass2"));  $data = unserialize($foo, array("MyClass", "MyClass2")); 
 </code> </code>
 +
 +See API Update below.
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
Line 61: Line 63:
 </doodle> </doodle>
  
 +
 +===== API change =====
 +
 +After some thought and discussion, I have decided to slightly change the API:
 +
 +<code php>
 +// this will unserialize everything as before
 +$data = unserialize($foo); 
 +// this will convert all objects into __PHP_Incomplete_Class object
 +$data = unserialize($foo, ["allowed_classes" => false]); 
 +// this will convert all objects except ones of MyClass and MyClass2 into __PHP_Incomplete_Class object
 +$data = unserialize($foo, ["allowed_classes" => ["MyClass", "MyClass2"]); 
 +//accept all classes as in default
 +$data = unserialize($foo, ["allowed_classes" => true]); 
 +</code>
 +
 +This will allow to extend the options array in the future if we ever want to add more parameters. No objections were voiced on the list regarding this API change.
  
 ===== References ===== ===== References =====
rfc/secure_unserialize.1416185734.txt.gz · Last modified: 2017/09/22 13:28 (external edit)